docs/documentation/platform/sso/google-saml.mdx

Next, note the **ACS URL** and **SP Entity ID** to use when configuring the Google SAML application.


2.2. In the **App details** tab, give the application a unique name like Infisical.

2.3. In the **Google Identity Provider details** tab, copy the **SSO URL**, **Entity ID** and **Certificate**.

2.4. Back in Infisical, set **SSO URL** and **Certificate** to the corresponding items from step 2.3.

2.5. Back in the Google Admin console, in the **Service provider details** tab, set the **ACS URL** and **Entity ID** to the corresponding items from step 1.
Also, check the **Signed response** checkbox.

2.6. In the **Attribute mapping** tab, configure the following map:
- **First name** -> **firstName**
- **Last name** -> **lastName**
- **Primary email** -> **email**

<Note>
If you want to sync Google groups to Infisical groups, you can also configure:
- **groups** -> **groups**
This requires setting up group claims in Google Workspace. See the [Group Membership Mapping](#saml-group-membership-mapping) section below for details.
</Note>
Click **Finish**.
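To confirm the settings from steps 2.5 and 2.6 took effect, you can inspect a decoded SAML response captured during a test login. The following is an added example, not part of Infisical's code: it uses a constructed response and a placeholder ACS URL, and it checks structure only, without verifying the signature cryptographically.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer the defusedxml package

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED = ("firstName", "lastName", "email")  # app attributes from step 2.6

# Constructed sample: URL, names and groups are placeholders; signature body elided.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://infisical.example/acs-placeholder">
  <ds:Signature/>
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>eng</saml:AttributeValue>
      <saml:AttributeValue>sec</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, acs_url):
    """Return (findings, attributes) for a decoded SAML response."""
    root = ET.fromstring(xml_text)
    findings = []
    # With "Signed response" checked, ds:Signature sits directly under samlp:Response.
    if root.find("ds:Signature", NS) is None:
        findings.append("response is not signed (step 2.5 checkbox)")
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the ACS URL")
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    for name in REQUIRED:
        if not attrs.get(name):
            findings.append(f"missing attribute: {name}")
    if "groups" not in attrs:
        findings.append("no groups attribute present (needed only for group mapping)")
    return findings, attrs
```

The sample deliberately omits `lastName`, so the check reports one finding for it.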
</Step>
<Step title="Assign users in Google Workspace to the application">
Back in your [Google Admin console](https://support.google.com/a/answer/182076), go to Menu > Apps > Web and mobile apps > your SAML app
and click **User access**.

To assign everyone in your organization to the application, click **On for everyone** or **Off for everyone** and then click **Save**.
You can also assign an organizational unit or set of users to an application; you can learn more about that [here](https://support.google.com/a/answer/6087519?hl=en#add_custom_saml&turn_on&verify_sso&&zippy=%2Cstep-add-the-custom-saml-app%2Cstep-turn-on-your-saml-app%2Cstep-verify-that-sso-is-working-with-your-custom-app).

</Step>
<Step title="Enable SAML SSO in Infisical">
Enabling SAML SSO allows members in your organization to log into Infisical via Google Workspace.

</Step>
<Step title="Enforce SAML SSO in Infisical">
Enforcing SAML SSO ensures that members in your organization can only access Infisical
by logging into the organization via Google.
To enforce SAML SSO, you must first test the SAML connection by successfully authenticating at least one Google user with Infisical.
Once you've completed this requirement, you can toggle the **Enforce SAML SSO** button to enforce SAML SSO.
<Warning>
We recommend ensuring that your account is provisioned for the application in Google
prior to enforcing SAML SSO to prevent any unintended issues.
</Warning>
<Info>
In case of a lockout, an organization admin can use the [Admin Login Portal](https://infisical.com/docs/documentation/platform/sso/overview#admin-login-portal) in the `/login/admin` path e.g. https://app.infisical.com/login/admin.
</Info>
</Step>
Automatically sync Google Workspace group memberships to Infisical.
<Steps>
<Step title="Add groups attribute mapping in Google">
In your Google Admin console SAML app, go to **Attribute mapping** and add:
- **Google groups**: Include all groups you want to include in the SAML claim. Only these groups will be synced to Infisical.
- **App attribute**: `groups`

</Step>
<Step title="Enable SAML Group Membership Mapping in Infisical">
Back in Infisical, under Organization Settings, enable **SAML Group Membership Mapping** in the **Single Sign-On (SSO)** tab.

</Step>
<Step title="Group synchronization on login">
Once configured, Google groups will now be automatically synchronized when users log in through SAML. Users will be added to or removed from Infisical groups based on their current Google group memberships.
</Step>
References: